Hacking someone's passwords can be really easy if the authentication process is not correctly secured. Have you ever wondered what kind of attacks hackers use to get your passwords? In this article we are going to explain the main risks an authentication process may face and how to secure it, guided by the talk given by our teacher Jose Carneiro.
This explanation is for beginners and you don't need any coding skills, but if you want to see all the code used for this article, you can check Jose's GitHub. There are a few assumptions that should be made when creating or working with an application to make sure that at least the basic potential security issues are covered:
Before starting with the different scenarios and vulnerabilities we are going to explain and solve, let's clarify what it means to hash a password. Hashing passwords is the basic step a developer takes to protect authentication. Imagine that you are logging into your Google account: Google won't store the password as plain text, as we might think, since that would be very risky (whoever has access to the database would get the password). Instead, Google stores a transformation of the password, from the original text to gibberish. This process is what we call hashing, and it's crucial for making things a bit more complicated for hackers.
For example: if your password is 4623 and we apply a hashing process that transforms the password into 4+6+2+3=15, the hashed password will be 15. If there is an attack, the hackers will get the number 15 as the password, but without knowing the hashing process the original password won't be easily guessed. So… let's start with the different vulnerabilities and scenarios we may encounter.
How can we make our password stronger? What are the main characteristics of a weak password? Well, there are three aspects to keep in mind when creating a password:
For example, if an application allows users to authenticate using weak passwords and has a poor hashing process, those passwords can easily be stolen with a brute-force attack.
The function bruteforceAuthentication, given a certain email, makes requests to the application trying to sign in with that email and each password in a list of the most commonly used passwords. It tries every single password until it finds the right one.
The list starts running, and it can take this function as little as 1455 attempts and only 31 seconds to find the password. Of course, this is the worst-case scenario, and that's why more layers of security are important. This is why every application should require users to choose a password that is not in such a list. However, a hacker can also simply try every possibility. So… what other vulnerabilities and solutions can we face?
Let's imagine we are working with a simple platform that asks for sensitive information such as an email address, password, social security number and credit card number. The password isn't required to be strong and the hashing algorithm is MD5 (a fast hashing algorithm).
Why do slow versus fast hashing algorithms matter? Easy! If the algorithm is fast, checking all the candidate passwords takes little time, whereas if the algorithm is slow it takes much longer to crack them, and the user experience is the same. Using the MD5 algorithm is almost like no hashing at all.
The bcrypt algorithm (HashBcrypt) is slower and makes the authentication process more secure. Any developer can use it and the user won't notice the difference. Checking each candidate password against the stored hashes is slower, which means that the algorithm we choose can make a big difference: instead of being broken in a few seconds, the passwords will take years to break.
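To put numbers on the common-password-list attack above and on the fast-versus-slow hashing comparison, here is an added example (not Jose's code from the talk) that hashes the same password with unsalted MD5 and with a slow, salted hash, then times a full run through a constructed stand-in for the common-password list against each stored hash. It assumes only the Python standard library, so salted PBKDF2-HMAC with a high iteration count stands in for bcrypt (both have a tunable work factor that makes every guess cost real time).

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a "most commonly used passwords" list (not the real
# list the article refers to); the password we are checking for is the last one.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou",
                    "dragon", "monkey", "sunshine", "princess", "football",
                    "welcome", "abc123", "admin", "shadow", "master",
                    "michael", "superman", "trustno1", "hello", "summer2021"]

SALT = os.urandom(16)        # random per-user salt, stored next to the hash
SLOW_ITERATIONS = 100_000    # work factor; bcrypt's cost parameter plays the same role

def hash_md5(password: str) -> str:
    """Fast, unsalted MD5: what the article's weak platform uses."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_slow(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 from the standard library, used here as a
    stand-in for bcrypt: each guess costs SLOW_ITERATIONS rounds of work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, SLOW_ITERATIONS).hex()

def dictionary_check(stored_hash: str, hash_fn, candidates) -> tuple:
    """Try each candidate from the list against one stored hash, which is what a
    leaked database exposes. Returns (found_password, attempts, seconds)."""
    start = time.perf_counter()
    for attempts, candidate in enumerate(candidates, start=1):
        if hmac.compare_digest(hash_fn(candidate), stored_hash):
            return candidate, attempts, time.perf_counter() - start
    return None, len(candidates), time.perf_counter() - start

def compare_algorithms(user_password: str = "summer2021") -> dict:
    """Store the same password both ways and time a full dictionary check on each."""
    results = {}
    for name, fn in (("md5", hash_md5), ("pbkdf2", hash_slow)):
        found, attempts, seconds = dictionary_check(fn(user_password), fn, COMMON_PASSWORDS)
        results[name] = {"found": found, "attempts": attempts, "seconds": seconds}
    return results

if __name__ == "__main__":
    for name, r in compare_algorithms().items():
        print(f"{name:7s} found={r['found']!r} after {r['attempts']} attempts in {r['seconds']:.3f}s")
```

Both runs find the password after the same 20 attempts; the difference is that the slow hash turns a sub-millisecond check into seconds, and scaling the list to millions of candidates turns seconds into years.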
One way to protect user passwords is to limit the number of attempts someone can make to access an application. Stopping the authentication process means the attacker won't be able to make request after request after request… so the brute-force attack is prevented. For example, we could define a rule like this: if you make more than 50 requests in 1 hour, your account will be blocked.
Another option is the attempt-cap solution. In this case, the rule is: if the user tries to authenticate more than 5 times, the account will be blocked.
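The two rules just described, implemented as an added example (not code from the talk): a per-account sliding window that blocks after more than 50 requests in one hour, and an attempt cap that blocks after more than 5 failed logins in a row. Timestamps are passed in explicitly (an assumption made so the hour-long window can be exercised without waiting), and the class name LoginGuard is invented here.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600          # "more than 50 requests in 1 hour" rule
MAX_REQUESTS_PER_WINDOW = 50
MAX_FAILED_ATTEMPTS = 5        # "more than 5 attempts" attempt-cap rule

class LoginGuard:
    """Enforces both rules per account. `now` is a float timestamp supplied by
    the caller (e.g. time.time()) so the window logic is deterministic to test."""

    def __init__(self):
        self._requests = defaultdict(deque)   # email -> timestamps of recent requests
        self._failures = defaultdict(int)     # email -> consecutive failed logins
        self._blocked = set()

    def is_blocked(self, email: str) -> bool:
        return email in self._blocked

    def _prune(self, email: str, now: float) -> None:
        # Drop timestamps that have fallen out of the one-hour window.
        window = self._requests[email]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def allow_request(self, email: str, now: float) -> bool:
        """Rate limit: called before processing a login request. Returns False
        (and blocks the account) once the window holds more than the cap."""
        if self.is_blocked(email):
            return False
        self._prune(email, now)
        self._requests[email].append(now)
        if len(self._requests[email]) > MAX_REQUESTS_PER_WINDOW:
            self._blocked.add(email)
            return False
        return True

    def record_login(self, email: str, success: bool) -> bool:
        """Attempt cap: called with the result of a password check. A success
        resets the counter; too many failures in a row block the account.
        Returns True while the account is still usable."""
        if success:
            self._failures[email] = 0
            return not self.is_blocked(email)
        self._failures[email] += 1
        if self._failures[email] > MAX_FAILED_ATTEMPTS:
            self._blocked.add(email)
        return not self.is_blocked(email)
```

In a real deployment the counters would live in shared storage (a database or cache) rather than in-process memory, so that every application instance sees the same attempt history.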
When the password is the only authentication factor protecting an application, we say there is a single point of failure: if the attacker gets the password, the door is open to all the information. That's why adding additional authentication factors increases the difficulty for hackers. Some solutions for multi-factor authentication are:
These are the most common mistakes and vulnerabilities in an authentication process. If you want to take a look at the code itself, check Jose's GitHub and visit other resources such as the Computerphile YouTube channel. If you want to learn more about this field, check out our Cybersecurity bootcamp!